Monday, 5 January 2026

Palo Alto GlobalProtect VPN (GP): connect methods and components


On-Demand
---------
• User opens the GlobalProtect app manually
• Clicks the “Connect” button
• Authenticates interactively (username/password, or whatever the authentication profile demands, e.g. SAML with MFA)
• The tunnel exists only while the user keeps it connected; the user can disconnect at any time
• Suited to occasional remote access, not to devices that must always be reachable for management

User-Logon (Always On)
----------------------
• The app connects automatically as soon as the user logs in to Windows/macOS
• Authentication happens in the background (AD credentials via SSO, SAML, token or client certificate)
• No manual action required from the user, and in Always On mode the user cannot normally disconnect
• Suited to permanent remote/WFH users

Pre-Logon
---------
• The app establishes the tunnel after the OS boots, before any user has logged in
• Authentication uses a machine certificate (the device identity), not user credentials; the firewall sees the session as the special “pre-logon” user
• After the user logs in, the app authenticates the user and the connection transitions from Pre-Logon to User-Logon on the same tunnel (with “Pre-logon then On-demand” the pre-logon tunnel is torn down at login and the user connects manually instead)
• Suited to password reset, domain join, GPO, SCCM tasks on remote laptops
• Caveat: a stolen laptop with a valid machine certificate also gets the pre-logon tunnel, so security policy for the pre-logon user should allow only what those tasks need (domain controllers, DNS, management servers), never general internal access

Internal Host Detection (IHD)
-----------------------------
• Decides whether the endpoint is on the corporate network or out on the Internet, before any tunnel is attempted
• The app performs a reverse DNS lookup of the internal host IP configured on the portal; if it resolves to the configured hostname, the endpoint is internal and no external tunnel is built (the app can still register with an internal gateway for User-ID and HIP, without a tunnel)
• If the lookup fails (NXDOMAIN, timeout) or returns a different name, the endpoint is external and the app connects to an external gateway
• IHD detects location only; it does not build a tunnel, and because it trusts whatever resolver the local network hands out it is a convenience, not a security control
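The decision logic above in runnable form. This is an added example, not code from the page or from Palo Alto: it models the reverse DNS check the GlobalProtect app performs, with the resolver injected so that the office, home, captive-portal and spoofed-DNS outcomes can all be exercised offline. The IHD IP, hostname and the stub resolvers are constructed values.

```python
"""Internal Host Detection (IHD) decision logic.

Added example, not Palo Alto code.  It models what the GlobalProtect app does
before deciding whether to build a tunnel: a reverse DNS (PTR) lookup of the
internal host IP configured on the portal, compared with the configured
hostname.  The resolver is injected so every outcome runs offline.
"""
import socket
from typing import Callable, Optional

# Constructed stand-ins for the portal's IHD settings (assumed values)
IHD_IP = "10.0.0.5"
IHD_HOSTNAME = "ihd.corp.example"

Resolver = Callable[[str], Optional[str]]


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver; None on NXDOMAIN or timeout."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return None


def detect_location(ip: str, expected_hostname: str,
                    resolver: Resolver = system_reverse_lookup) -> str:
    """Classify the endpoint as 'internal' or 'external'.

    No PTR answer            -> external: connect to an external gateway
    PTR -> some other name   -> external: not the corporate resolver
    PTR -> expected hostname -> internal: no external tunnel is built
    """
    answer = resolver(ip)
    if answer is None:
        return "external"
    if answer.rstrip(".").lower() != expected_hostname.rstrip(".").lower():
        return "external"
    return "internal"


# Stub resolvers modelling the networks a laptop may be attached to
def corp_resolver(ip: str) -> Optional[str]:
    # Corporate DNS holds the PTR record for the IHD host
    return IHD_HOSTNAME if ip == IHD_IP else None


def public_resolver(ip: str) -> Optional[str]:
    # Home ISP DNS: no PTR record for RFC 1918 space -> NXDOMAIN
    return None


def wildcard_resolver(ip: str) -> Optional[str]:
    # A captive portal that answers every PTR query with its own name
    return "captive.hotspot.local"


def spoofing_resolver(ip: str) -> Optional[str]:
    # A hostile network that knows the IHD settings and answers the PTR query
    # with the expected name: the app stays 'internal' and never tunnels,
    # which is why IHD must not be relied on as a security control
    return IHD_HOSTNAME


if __name__ == "__main__":
    for net, r in [("office", corp_resolver), ("home", public_resolver),
                   ("hotspot", wildcard_resolver), ("spoofed", spoofing_resolver)]:
        print(f"{net:8s} -> {detect_location(IHD_IP, IHD_HOSTNAME, r)}")
```

Run it as-is to see the four outcomes; swap `corp_resolver` for the default `system_reverse_lookup` to test against the real resolver of the network you are on. The spoofed case is the one to remember when deciding whether "internal" endpoints get a lighter policy.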

HIP (Host Information Profile)
------------------------------
• Once the tunnel is up, the app collects a Host Information Profile and submits it to the gateway; the firewall matches it against HIP objects (single posture checks) grouped into HIP profiles
• Checks cover antivirus/anti-malware state, disk encryption, host firewall, OS patch level, domain membership, installed or required applications, etc.
• Security policy rules reference HIP profiles, so the HIP result decides the level of access:
– Full access / Restricted access / Internet-only / Block
• HIP never blocks the tunnel itself: a failing device stays connected but matches only the restrictive rules (a remediation-only tier that reaches the AV and patch servers is the usual middle ground)
• The app re-submits the report periodically, so a posture change mid-session changes the matched rule without a reconnect
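How the HIP result turns into an access level, as an added example that is not code from the page or from Palo Alto. It mirrors the flow in miniature: a HIP report is matched against HIP objects, the objects are combined into HIP profiles, and a top-down security policy that references those profiles yields full, restricted, internet-only or block. The report contents, object, profile and rule names are all constructed for the example; real HIP objects have many more fields.

```python
"""HIP report evaluation: objects -> profiles -> security policy -> access level.

Added example, not Palo Alto code.  After the tunnel is up the app submits a
HIP report; the firewall matches single posture checks (HIP objects), combines
them into HIP profiles, and security policy rules reference those profiles.
Everything below (report, object/profile/rule names) is constructed.
"""
import copy
from datetime import date, timedelta

TODAY = date(2026, 1, 5)        # pinned so the example is deterministic

# Constructed HIP report: a small subset of what the app submits
COMPLIANT_REPORT = {
    "domain": "corp.example",
    "anti_malware": {"installed": True, "realtime": True, "defs_updated": date(2026, 1, 2)},
    "disk_encryption": {"system_drive": "encrypted"},
    "firewall": {"enabled": True},
    "patch_management": {"missing_critical": 0},
}

# HIP objects: one posture check each
HIP_OBJECTS = {
    "av-current": lambda r: (r["anti_malware"]["installed"] and r["anti_malware"]["realtime"]
                             and TODAY - r["anti_malware"]["defs_updated"] <= timedelta(days=7)),
    "disk-encrypted": lambda r: r["disk_encryption"]["system_drive"] == "encrypted",
    "fw-enabled": lambda r: r["firewall"]["enabled"],
    "patched": lambda r: r["patch_management"]["missing_critical"] == 0,
    "domain-joined": lambda r: r["domain"] == "corp.example",
}

# HIP profiles: boolean combinations of objects ("all" = AND, "any" = OR)
HIP_PROFILES = {
    "compliant": {"all": ["domain-joined", "disk-encrypted", "fw-enabled", "av-current", "patched"]},
    "remediable": {"all": ["domain-joined", "disk-encrypted"]},
    "managed": {"any": ["domain-joined", "av-current"]},
}

# Security policy: (rule, required HIP profile, access level); first match wins.
# Every device reaching this table already has a tunnel.
POLICY = [
    ("corp-full-access", "compliant", "full"),
    ("remediation-only", "remediable", "restricted"),   # AV/patch servers only
    ("internet-only", "managed", "internet-only"),
]
DEFAULT_ACTION = "block"


def match_profile(profile_name: str, report: dict) -> bool:
    """Evaluate a HIP profile; an object that cannot be evaluated because the
    report lacks that category counts as failed, never as passed."""
    profile = HIP_PROFILES[profile_name]

    def check(obj: str) -> bool:
        try:
            return bool(HIP_OBJECTS[obj](report))
        except KeyError:
            return False

    if "all" in profile:
        return all(check(o) for o in profile["all"])
    return any(check(o) for o in profile["any"])


def access_level(report: dict) -> tuple:
    """Walk the policy top-down; return (matched rule, access level)."""
    for rule, profile_name, level in POLICY:
        if match_profile(profile_name, report):
            return rule, level
    return "default-deny", DEFAULT_ACTION


def altered(report: dict, path: list, value) -> dict:
    """Deep-copy the report with one nested field changed."""
    r = copy.deepcopy(report)
    node = r
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return r


def sample_reports() -> dict:
    """Constructed devices in different posture states."""
    return {
        "healthy laptop": COMPLIANT_REPORT,
        "stale AV defs": altered(COMPLIANT_REPORT, ["anti_malware", "defs_updated"], date(2025, 12, 1)),
        "unencrypted disk": altered(COMPLIANT_REPORT, ["disk_encryption", "system_drive"], "none"),
        "personal device": altered(altered(COMPLIANT_REPORT, ["domain"], "WORKGROUP"),
                                   ["anti_malware", "installed"], False),
    }


if __name__ == "__main__":
    for name, rep in sample_reports().items():
        print(f"{name:18s} -> {access_level(rep)}")
```

The point worth copying into a real policy is the treatment of missing data: a report that omits a category fails that object, so a tampered or truncated HIP submission falls through to the restrictive rules rather than the permissive ones.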

Split Tunnel
------------
• Only traffic to the configured access routes (corporate/internal subnets, or specific domains and applications) goes through the tunnel
• Everything else exits directly to the Internet via the local interface
• Better performance and saves gateway bandwidth, but the firewall sees neither the local Internet traffic nor the local LAN, and the endpoint sits on both networks at once

Full Tunnel
-----------
• All traffic (internal + Internet) goes through the tunnel (access route 0.0.0.0/0, usually with direct local-network access disabled as well)
• The firewall inspects and applies policy to everything, including Internet-bound traffic, before forwarding it
• Maximum visibility and control, at the cost of gateway load and added latency for Internet traffic hairpinned through the gateway
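The routing decision behind both modes, as an added example that is not code from the page or from Palo Alto. It models the include (via tunnel) and exclude (via local interface) access routes a gateway pushes to the app, and answers "where does a packet to this destination go?" by the longest-prefix match the OS routing table applies once the app has installed those routes. All prefixes are constructed; giving the tunnel the tie when an include and an exclude have the same length is this example's own choice, not documented product behaviour.

```python
"""Split-tunnel vs full-tunnel routing decision per destination.

Added example, not Palo Alto code.  Include/exclude access routes become one
route table; a destination is sent to 'tunnel' or 'local' by longest-prefix
match, the way the OS routing table behaves after the app installs the routes.
Prefixes are constructed.  Tie between equal-length include and exclude goes
to the tunnel here; that is this example's choice, not a product guarantee.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Route = Tuple[Network, str]


def build_table(include: List[str], exclude: List[str]) -> List[Route]:
    """Turn the gateway's include/exclude access routes into one route table."""
    table: List[Route] = [(ipaddress.ip_network(p, strict=False), "tunnel") for p in include]
    table += [(ipaddress.ip_network(p, strict=False), "local") for p in exclude]
    return table


def next_hop(dst: str, table: List[Route]) -> str:
    """Return 'tunnel' or 'local' for dst by longest-prefix match.

    A destination matching no include route stays on the local interface;
    in split-tunnel mode that is exactly the traffic the firewall never sees.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if addr not in net:          # also False when address families differ
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and via == "tunnel")):
            best = (net, via)
    return best[1] if best else "local"


def classify(dsts: List[str], table: List[Route]) -> Dict[str, str]:
    """Map each destination to the interface it leaves on."""
    return {d: next_hop(d, table) for d in dsts}


# Constructed configurations
SPLIT_TUNNEL = build_table(include=["10.0.0.0/8", "172.16.0.0/12"],
                           exclude=["10.50.0.0/16"])          # a guest segment kept off the tunnel
FULL_TUNNEL = build_table(include=["0.0.0.0/0", "::/0"], exclude=[])
FULL_WITH_EXCLUDE = build_table(include=["0.0.0.0/0"],
                                exclude=["203.0.113.0/24"])    # a latency-sensitive SaaS range

DESTS = ["10.1.2.3", "10.50.4.4", "172.20.0.9", "8.8.8.8", "203.0.113.7", "2001:db8::1"]

if __name__ == "__main__":
    for name, table in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL),
                        ("full+exclude", FULL_WITH_EXCLUDE)]:
        print(f"{name:13s} {classify(DESTS, table)}")
```

Two things the output makes visible that the bullet lists do not: a full tunnel that only includes 0.0.0.0/0 still leaves IPv6 traffic local unless ::/0 is included too, and every exclude carved out of a full tunnel is a destination the firewall no longer inspects.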

Portal
------
• Authenticates the user and delivers the agent configuration to the client
• On the initial connection (and whenever the configuration is refreshed) it sends:
– Connect method (login mode)
– Split/full tunnel access routes
– IHD settings
– HIP collection settings
– Gateway list with priorities
• Does NOT terminate a tunnel; it only distributes configuration, which the app caches, so a portal outage does not by itself stop already-configured clients from connecting

Gateway
-------
• The VPN tunnel is actually established here
• Authenticates the user or device, builds the tunnel, assigns the client IP from the IP pool, and enforces security policy (including HIP-based rules) on the traffic
• Every VPN session connects to a gateway, even when the portal configuration is cached
• If no reachable gateway is up, the VPN cannot connect; a healthy portal does not help
